I was thinking the other day and I realized that CSFB is meant to be used only if VoLTE cannot be used for some reason. That sounded strange to me as in order to be able to use CSCF you need the special combined EPS/IMSI attach but in some cases you may find yourself unable to use VoLTE after you attach. On example of such case is when the network prefers VoLTE and the UE is able to do VoLTE but IMS voice is not available (for example the registration to the IMS network fails). To find the answer to my questions I turned to TS 23.221, maybe it can help in some way.

What I found is than an UE can be either voice centric or data centric. This usage setting basically tells the network what’s more important for that UE (voice or data). For example a voice centric UE will disconnect from E-UTRAN and try GERAN/UTRAN if it is not able to obtain voice service in E-UTRAN while a data centric UE will not do that.

Now, there’s another setting on the UE which is called voice domain preference and has one of four values CS Voice only, IMS PS Voice only, CS voice preferred, IMS PS Voice as secondary, IMS PS voice preferred, CS Voice as secondary. Based on these 2 settings and what happens in the network the UE will prefer one of the following 4 states:

Voice centric UE

Data centric UE

CS Voice preferred/ CS Voice only

CS/PS mode 1

CS/PS mode 2

IMS PS Voice preferred/ IMS PS Voice only

PS mode 1

PS mode 2

* an IMS PS Voice preferred UE may still be connected to both systems.

* an IMS PS Voice Only UE will not use combined attach or CSFB

*TS 23.221 Annex A gives guidance on how a CS and IMS capable UE should behave.

On the other hand, the network has its settings and preferences too. When an UE attempts to do a combined attach, the network may inform the UE of its settings, like CS Fallback not preferred, SMS-only (the CS network is to be used to SMS over SGs only, not for CSFB) or IMS voice not available. The UE may transition between these states if its settings or the network’s settings change. Also an UE in a PS mode state will transition to the corresponding CS/PS mode state if IMS is unavailable for some reason.

Now, in order to do CSFB or SMS over SGs one needs to be in one of the CS/PS modes. To be in one of these modes the UE needs to do a combined EPS/IMSI attach. Now let’s say our UE is set to prefer the IMS for voice calls but its registration to the IMS network fails for some reason or the network indicates to the UE it does not support PS voice. In this case the UE is already connected to the EPS network but most likely not to the CS network and in order to use CSFB it needs to transition to a combined EPS/IMSI attach situation. To do this the UE will do a Combined TA/LA Update Procedure (TS 23.272 section 5.4.1).

Later edit:

Relevant specs for the UICC side:

TS 24.008 – Layer 3 specifications, Core network protocols

TS 31.102 – USIM Applications

Why? : Because I would like to see in more detail how this entire CSFB/SRVCC story happens at the UE+UICC(SIM) level.

I have just had a series of talks the past weeks with a good friend of mine. He is a Security Architect for a large company up north. I’m curious about what he is doing there, so initially I was thinking of organising our discussions as some form of an interview. Later on, my proverbial laziness got the best of me, so I downgrade our nice chat to a short blog post (this one).

Bottom line: I’ve asked him what it means to be a SecurityArchitect. It went somewhere along these lines:

What are you doing there? Is it cool? Is it nice? Do you do cool stuff? Cristina being a bit of a chipmunk at this point

You won’t find it that cool, most probably. I don’t get to dig into the GTPv2 as you do.

Absolutely unsatisfactory – I say. Nevertheless, our discussion digressed into an interesting side-area: security frameworks and how to do network architectures security assessments. I asked for a framework to do these assessment.

Ok I will recommend something – but I don’t usually stick to frameworks, as it depends on the assignment and other stuff more to me. Like experience. So I go by from my head – yueah I know it sounds bad, but it works for me, as long as I remember to include all the areas.

Again, completely unsatisfactory – I say. Still, continuing the discussion, I realise the guy is right: it _actually IS_ about experience. Whatever “framework” is just a nice area checklist to help you with not missing out on stuff. This guy has too much experience to use any frameworks at the moment, but I need something to start learning this stuff. I did find something, and my friend corroborated my findings. Fortunately, his examples and details from his experience nicely matched the framework that I also liked for my research: ITU-T X.805.

Finally, I’ve managed to get my favourite real-life geek (the non-real-life geek is Spencer Reed) to write an article (which shall become a series, I hope) for my blog. Here it goes, Alex.

=====

The other day I realised that working in the 4G/EPC field has some advantages. One is that I get to see how things work and that is the coolest thing, but sometimes you realise things are so complicated it may be a good idea to wait for a while before upgrading. Take for example the voice calls. In order to do voice calls in 4G you have 2 major options:

1. VoLTE which is VoIP using the 4G (LTE and EPC devices) and IMS network – this is how things should be done in a real 4G network

2. CSFB (Circuit Switched (CS) fallback TS 23.272) which means that when the UE(phone) needs to make or receive a call it is moved to an older 3GPP technology (2G/3G). This mechanism is used if the IMS network is not available or the UE is not able to do VoLTE for some reason (for example registration to the IMS network failed)

Mwell, if you do, then you’ll be happy to see I am still here, live and kicking. Lately I’ve focused on writing stuff for my PhD and therefore no techie article and very slow reply to answers (promise to get back to those who still have no answers to their inquires). Today, applauses for the 3GPP guys: they don’t expect the operators to simply put a Stop to whatever they were doing, upgrade to 4G every piece of their equipment, then Start over. Au contraire…mon frere 😛 They provide a way (actually, 2 ways) of gradually upgrading a 2G/3G network to a 4G fancy network.

Today, I’m gonna present briefly one of them: Iu mode inter-RAT Handover. This is also a subject for my next article – but I’m not going to copy-paste it, as it might get rejected.

First of all, let’s take a quick look at how those fancy network equipments connect to each other in a 3G-4G handover case.

Mwell. So, what do you have here?

From the 3G side….(applauses…applauses): a RNC and a SGSN. We assume our UE is connected to a 3G network. But, as the operator has (at least partially) upgraded to 4G, there is no more GGSN. The SGSN is connected to the SGW via S12 interface. Unlike MME, which is a dedicated control-plane device, the SGSN transfers both control-plane and user-plane information. The simply dotted lines in the picture represent the air interface. The dotted and stroke connections represent interfaces where there are two types of traffic being delivered: control-plane and data-plane.

On the 4G side, the usual and familiar elements: eNB, MME, SGW. The PGW, HSS and PCRF are there to stay.

The SGSN talks to the MME via the S3 interface. And, in this case, the handover will directly forward packets from the source RNC to the target SGW via the S12 interface. If you consider that the S12 interface does not exists, then we are facing a case similar to what we call “indirect tunneling” in the intra-EUTRAN handovers. In this case, when the source RNChas no direct way of forwarding the UE’s packets (those that are sent in downlink after the UE had already moved to 4G) to the target SGW, it will use the S4 interface to forward these packets to a dedicated SGW for indirect tunneling.

Without detailing each packet (maybe later on, on another post), let’s have a quick look at the message exchange between these entities in the 3G to 4H handover scenario. ! My picture ! (long live good old “dia” software)

Yes, there is some TAU also, as far as I understand from the TS 23.401, in these inter-RAT handovers, the TAU always takes place. And also, the TAU packets carry a most important information: the updated security credentials of the new 4G connection…